Impact
An incorrect privilege assignment flaw exists in the DELUCKS SEO WordPress plugin. The vulnerability allows a user with insufficient privileges to gain higher-level capabilities, effectively enabling an attacker to perform actions normally reserved for administrators. The fault aligns with CWE-266 (Incorrect Privilege Assignment) and could lead to full control over the WordPress site, compromising data confidentiality, integrity, and availability.
Affected Systems
The flaw is present in all releases of the DELUCKS SEO plugin from the earliest version through version 2.6.0. Any WordPress site that has installed this plugin and has not upgraded past 2.6.0 is potentially affected. The plugin runs within the standard WordPress environment, so any site running an affected version is at risk regardless of its other configuration.
Risk and Exploitability
The CVSS score of 8.8 denotes a high-severity vulnerability, while the EPSS score of less than 1% indicates a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to involve a normal authenticated user interacting with the plugin's administrative interface or issuing a crafted request that triggers the privilege misassignment. An attacker would therefore need an authenticated account on the site, but the exploitation path does not require remote code execution or any privileges beyond those exposed by the plugin's improper access controls.
OpenCVE Enrichment